diff options
| author | Alexey Dobriyan <adobriyan@gmail.com> | 2008-10-08 05:35:08 -0400 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2008-10-08 05:35:08 -0400 |
| commit | c04d05529a6e0bf97183a2caf76a0c7f07f5b78c (patch) | |
| tree | 9d4df449b3a294b150d1c77ac4a4767e27e4a5df | |
| parent | 802507071b72ed5025747126099cbc6d1542f596 (diff) | |
netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_checksum sysctl
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
| -rw-r--r-- | include/net/netfilter/nf_conntrack.h | 1 | ||||
| -rw-r--r-- | include/net/netns/conntrack.h | 1 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 | ||||
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_dccp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_udp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_udplite.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_standalone.c | 7 |
10 files changed, 11 insertions, 12 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index c95561050f78..b76a8685b5b5 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
| @@ -287,7 +287,6 @@ static inline int nf_ct_is_untracked(const struct sk_buff *skb) | |||
| 287 | 287 | ||
| 288 | extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); | 288 | extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); |
| 289 | extern unsigned int nf_conntrack_htable_size; | 289 | extern unsigned int nf_conntrack_htable_size; |
| 290 | extern int nf_conntrack_checksum; | ||
| 291 | extern int nf_conntrack_max; | 290 | extern int nf_conntrack_max; |
| 292 | 291 | ||
| 293 | #define NF_CT_STAT_INC(net, count) \ | 292 | #define NF_CT_STAT_INC(net, count) \ |
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index 2b50758df6a1..38b6dae4d3de 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h | |||
| @@ -17,6 +17,7 @@ struct netns_ct { | |||
| 17 | #ifdef CONFIG_NF_CONNTRACK_EVENTS | 17 | #ifdef CONFIG_NF_CONNTRACK_EVENTS |
| 18 | struct nf_conntrack_ecache *ecache; | 18 | struct nf_conntrack_ecache *ecache; |
| 19 | #endif | 19 | #endif |
| 20 | int sysctl_checksum; | ||
| 20 | #ifdef CONFIG_SYSCTL | 21 | #ifdef CONFIG_SYSCTL |
| 21 | struct ctl_table_header *sysctl_header; | 22 | struct ctl_table_header *sysctl_header; |
| 22 | #endif | 23 | #endif |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 2e4dd3fb0022..75871b1dd8a8 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
| @@ -270,7 +270,7 @@ static ctl_table ip_ct_sysctl_table[] = { | |||
| 270 | { | 270 | { |
| 271 | .ctl_name = NET_IPV4_NF_CONNTRACK_CHECKSUM, | 271 | .ctl_name = NET_IPV4_NF_CONNTRACK_CHECKSUM, |
| 272 | .procname = "ip_conntrack_checksum", | 272 | .procname = "ip_conntrack_checksum", |
| 273 | .data = &nf_conntrack_checksum, | 273 | .data = &init_net.ct.sysctl_checksum, |
| 274 | .maxlen = sizeof(int), | 274 | .maxlen = sizeof(int), |
| 275 | .mode = 0644, | 275 | .mode = 0644, |
| 276 | .proc_handler = &proc_dointvec, | 276 | .proc_handler = &proc_dointvec, |
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 205ba399d4a3..ace66cbf9215 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
| @@ -188,7 +188,7 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | |||
| 188 | } | 188 | } |
| 189 | 189 | ||
| 190 | /* See ip_conntrack_proto_tcp.c */ | 190 | /* See ip_conntrack_proto_tcp.c */ |
| 191 | if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING && | 191 | if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && |
| 192 | nf_ip_checksum(skb, hooknum, dataoff, 0)) { | 192 | nf_ip_checksum(skb, hooknum, dataoff, 0)) { |
| 193 | if (LOG_INVALID(IPPROTO_ICMP)) | 193 | if (LOG_INVALID(IPPROTO_ICMP)) |
| 194 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, | 194 | nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, |
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index df04de91e6ef..fa12e57749ab 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | |||
| @@ -187,7 +187,7 @@ icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | |||
| 187 | return -NF_ACCEPT; | 187 | return -NF_ACCEPT; |
| 188 | } | 188 | } |
| 189 | 189 | ||
| 190 | if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING && | 190 | if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && |
| 191 | nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) { | 191 | nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) { |
| 192 | nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, | 192 | nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL, |
| 193 | "nf_ct_icmpv6: ICMPv6 checksum failed\n"); | 193 | "nf_ct_icmpv6: ICMPv6 checksum failed\n"); |
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c index 6ead8da3e9e6..769680e68b5e 100644 --- a/net/netfilter/nf_conntrack_proto_dccp.c +++ b/net/netfilter/nf_conntrack_proto_dccp.c | |||
| @@ -575,7 +575,7 @@ static int dccp_error(struct net *net, struct sk_buff *skb, | |||
| 575 | } | 575 | } |
| 576 | } | 576 | } |
| 577 | 577 | ||
| 578 | if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING && | 578 | if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && |
| 579 | nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP, | 579 | nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP, |
| 580 | pf)) { | 580 | pf)) { |
| 581 | msg = "nf_ct_dccp: bad checksum "; | 581 | msg = "nf_ct_dccp: bad checksum "; |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index b5d62d66e02c..131c9be4470a 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
| @@ -780,7 +780,7 @@ static int tcp_error(struct net *net, | |||
| 780 | * because the checksum is assumed to be correct. | 780 | * because the checksum is assumed to be correct. |
| 781 | */ | 781 | */ |
| 782 | /* FIXME: Source route IP option packets --RR */ | 782 | /* FIXME: Source route IP option packets --RR */ |
| 783 | if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING && | 783 | if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && |
| 784 | nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) { | 784 | nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) { |
| 785 | if (LOG_INVALID(IPPROTO_TCP)) | 785 | if (LOG_INVALID(IPPROTO_TCP)) |
| 786 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, | 786 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, |
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index e0ee89e179c1..3d3fffe3f8b9 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c | |||
| @@ -123,7 +123,7 @@ static int udp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff, | |||
| 123 | * We skip checking packets on the outgoing path | 123 | * We skip checking packets on the outgoing path |
| 124 | * because the checksum is assumed to be correct. | 124 | * because the checksum is assumed to be correct. |
| 125 | * FIXME: Source route IP option packets --RR */ | 125 | * FIXME: Source route IP option packets --RR */ |
| 126 | if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING && | 126 | if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && |
| 127 | nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) { | 127 | nf_checksum(skb, hooknum, dataoff, IPPROTO_UDP, pf)) { |
| 128 | if (LOG_INVALID(IPPROTO_UDP)) | 128 | if (LOG_INVALID(IPPROTO_UDP)) |
| 129 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, | 129 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, |
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c index c5b77c8f86c2..3d1697c4f916 100644 --- a/net/netfilter/nf_conntrack_proto_udplite.c +++ b/net/netfilter/nf_conntrack_proto_udplite.c | |||
| @@ -129,7 +129,7 @@ static int udplite_error(struct net *net, | |||
| 129 | } | 129 | } |
| 130 | 130 | ||
| 131 | /* Checksum invalid? Ignore. */ | 131 | /* Checksum invalid? Ignore. */ |
| 132 | if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING && | 132 | if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && |
| 133 | nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP, | 133 | nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP, |
| 134 | pf)) { | 134 | pf)) { |
| 135 | if (LOG_INVALID(IPPROTO_UDPLITE)) | 135 | if (LOG_INVALID(IPPROTO_UDPLITE)) |
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 64b4f95b367e..5cd066379779 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c | |||
| @@ -322,9 +322,6 @@ static void nf_conntrack_standalone_fini_proc(struct net *net) | |||
| 322 | 322 | ||
| 323 | /* Sysctl support */ | 323 | /* Sysctl support */ |
| 324 | 324 | ||
| 325 | int nf_conntrack_checksum __read_mostly = 1; | ||
| 326 | EXPORT_SYMBOL_GPL(nf_conntrack_checksum); | ||
| 327 | |||
| 328 | #ifdef CONFIG_SYSCTL | 325 | #ifdef CONFIG_SYSCTL |
| 329 | /* Log invalid packets of a given protocol */ | 326 | /* Log invalid packets of a given protocol */ |
| 330 | static int log_invalid_proto_min = 0; | 327 | static int log_invalid_proto_min = 0; |
| @@ -360,7 +357,7 @@ static ctl_table nf_ct_sysctl_table[] = { | |||
| 360 | { | 357 | { |
| 361 | .ctl_name = NET_NF_CONNTRACK_CHECKSUM, | 358 | .ctl_name = NET_NF_CONNTRACK_CHECKSUM, |
| 362 | .procname = "nf_conntrack_checksum", | 359 | .procname = "nf_conntrack_checksum", |
| 363 | .data = &nf_conntrack_checksum, | 360 | .data = &init_net.ct.sysctl_checksum, |
| 364 | .maxlen = sizeof(unsigned int), | 361 | .maxlen = sizeof(unsigned int), |
| 365 | .mode = 0644, | 362 | .mode = 0644, |
| 366 | .proc_handler = &proc_dointvec, | 363 | .proc_handler = &proc_dointvec, |
| @@ -425,6 +422,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net) | |||
| 425 | goto out_kmemdup; | 422 | goto out_kmemdup; |
| 426 | 423 | ||
| 427 | table[1].data = &net->ct.count; | 424 | table[1].data = &net->ct.count; |
| 425 | table[3].data = &net->ct.sysctl_checksum; | ||
| 428 | 426 | ||
| 429 | net->ct.sysctl_header = register_net_sysctl_table(net, | 427 | net->ct.sysctl_header = register_net_sysctl_table(net, |
| 430 | nf_net_netfilter_sysctl_path, table); | 428 | nf_net_netfilter_sysctl_path, table); |
| @@ -474,6 +472,7 @@ static int nf_conntrack_net_init(struct net *net) | |||
| 474 | ret = nf_conntrack_standalone_init_proc(net); | 472 | ret = nf_conntrack_standalone_init_proc(net); |
| 475 | if (ret < 0) | 473 | if (ret < 0) |
| 476 | goto out_proc; | 474 | goto out_proc; |
| 475 | net->ct.sysctl_checksum = 1; | ||
| 477 | ret = nf_conntrack_standalone_init_sysctl(net); | 476 | ret = nf_conntrack_standalone_init_sysctl(net); |
| 478 | if (ret < 0) | 477 | if (ret < 0) |
| 479 | goto out_sysctl; | 478 | goto out_sysctl; |